[OpenID] differentiating users
Nate Klingenstein
ndk at internet2.edu
Wed May 21 22:58:45 UTC 2008
Steven,
Federated identity is full of network effects. This is one of them.
The more people that understand an attribute you're using, the more
powerful it is. On the other hand, many applications and communities
have attributes that carry nuances not shared with the rest of the
world, so they can't recycle an existing attribute. We have
eduPersonEntitlement for precisely this use case, and you're welcome
to look at it, but it's probably outside your domain.
I like URLs for attribute names because they could be easily
resolved to acquire more information about the attribute someday.
OpenID's AX supports that well already.
Deciding which attribute to use, what to name it, and whether to
recycle is an art and not a science, though. Sometimes it's more
effective to keep fine-grained attributes and permissions at the
service, as well. Some things aren't meant to be centralized. Look
at the successful and failed attributes the LDAP/X.500 world ended up
with for some good examples on where to draw the line. Perhaps in
your case:
openid.ax.type.(applicationName)Role=http://yourdomain.org/applicationName/Role
openid.ax.value.(applicationName)Role=private
Have fun in the colorful world of attributes,
Nate.
On 21 May 2008, at 19:58, Steven Livingstone-Perez wrote:
> I had considered that some attribute “role” with a value
> yourdomain.org/private and yourdomain.org/public could be
> universally understood (due to the namespace uniqueness). Even
> without the namespace this could be useful!
>
> Has anyone got more info on how that have, or perhaps intend to
> accomplish this?
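The AX encoding Nate sketches above (a type URI bound to an alias, and a value keyed by that same alias) is what the relying party has to unpick when the assertion comes back. The following is an added worked example, not code from either poster: it parses a fetch_response, resolves attributes by type URI rather than by whatever alias the OP happened to choose, ignores any AX parameter the OP did not include in openid.signed, and only accepts a role value from the expected vocabulary. The type URI http://yourdomain.org/applicationName/Role, the values private/public, the alias names and the sample response are all constructed for illustration; signature verification of the assertion itself is assumed to have happened already.

```python
"""Extract an application role from an OpenID 2.0 AX fetch_response.

Added example; not from the original mailing-list post. The role type URI,
the allowed values and the sample response below are constructed placeholders.
Assumes the caller has already verified the assertion signature; this code
only checks that the AX fields it uses were covered by that signature.
"""

AX_NS = "http://openid.net/srv/ax/1.0"
ROLE_TYPE = "http://yourdomain.org/applicationName/Role"  # assumed type URI
ALLOWED_ROLES = {"private", "public"}                     # assumed vocabulary


def _is_signed(params, key):
    """True if `key` (an openid.* parameter) is listed in openid.signed."""
    signed = set(params.get("openid.signed", "").split(","))
    return key[len("openid."):] in signed


def parse_ax_fetch_response(params):
    """Return {type_uri: [values, ...]} for signed AX attributes in `params`.

    Aliases are OP-chosen, so the extension alias is found via openid.ns.*
    and each attribute alias via openid.<ext>.type.*; callers look up results
    by type URI only. Unsigned parameters are skipped entirely.
    """
    ax_alias = None
    for key, value in params.items():
        if key.startswith("openid.ns.") and value == AX_NS and _is_signed(params, key):
            ax_alias = key[len("openid.ns."):]
            break
    if ax_alias is None:
        return {}

    prefix = "openid." + ax_alias + "."
    mode_key = prefix + "mode"
    if params.get(mode_key) != "fetch_response" or not _is_signed(params, mode_key):
        return {}

    # attribute alias -> type URI, signed type declarations only
    types = {}
    for key, value in params.items():
        if key.startswith(prefix + "type.") and _is_signed(params, key):
            types[key[len(prefix + "type."):]] = value

    result = {}
    for alias, type_uri in types.items():
        values = []
        count_key = prefix + "count." + alias
        if count_key in params:
            # multi-valued attribute: value.<alias>.1 .. value.<alias>.<count>
            try:
                n = int(params[count_key]) if _is_signed(params, count_key) else 0
            except ValueError:
                n = 0
            for i in range(1, n + 1):
                key = prefix + "value." + alias + "." + str(i)
                if key in params and _is_signed(params, key):
                    values.append(params[key])
        else:
            key = prefix + "value." + alias
            if key in params and _is_signed(params, key):
                values.append(params[key])
        result.setdefault(type_uri, []).extend(values)
    return result


def role_from_response(params):
    """Return the single role value, or None if it is missing, repeated,
    unsigned, or outside the expected vocabulary."""
    values = parse_ax_fetch_response(params).get(ROLE_TYPE, [])
    if len(values) != 1 or values[0] not in ALLOWED_ROLES:
        return None
    return values[0]


# Constructed sample assertion. The OP bound AX to the alias "ext1" and the
# role attribute to the alias "r", neither of which the RP chose.
SAMPLE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ext1": AX_NS,
    "openid.ext1.mode": "fetch_response",
    "openid.ext1.type.r": ROLE_TYPE,
    "openid.ext1.value.r": "private",
    "openid.ext1.type.email": "http://axschema.org/contact/email",
    "openid.ext1.value.email": "user@example.org",
    "openid.signed": ("op_endpoint,claimed_id,identity,return_to,response_nonce,"
                      "assoc_handle,ns.ext1,ext1.mode,ext1.type.r,ext1.value.r,"
                      "ext1.type.email,ext1.value.email"),
}

if __name__ == "__main__":
    print(role_from_response(SAMPLE))
```

Two points worth noting for anyone wiring this into a real RP: the lookup is keyed on the type URI, since the response alias is the OP's choice and need not match the alias the RP used in the fetch_request; and the AX parameters are only trusted when openid.signed covers them, because an attacker who can inject unsigned parameters into the return_to redirect could otherwise hand themselves a role. Whether a given OP is actually authoritative for http://yourdomain.org/applicationName/Role is a separate trust decision that no parser can make for you.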